Phishing attacks on X accounts pose crypto scam risk to executives
A highly convincing phishing campaign is impersonating X login alerts to steal credentials, posing a direct threat to corporate executives whose compromised accounts could be used to execute crypto scams and spread market-moving misinformation.
A sophisticated phishing campaign is targeting X users with fake login alerts designed to steal credentials and bypass security protocols. The fraudulent emails perfectly replicate official X notifications, complete with the company's logo, colors, and formatting, making them difficult for busy professionals to identify at a glance.
The messages claim a new login from an unfamiliar location, such as Arizona on a Firefox Mac browser, and prompt the user to reset their password or review app access. While the advice mirrors legitimate security protocols, the embedded links direct victims to credential-harvesting websites. Users who click are routed to deceptive portals that either steal passwords directly or grant persistent access to attackers under the guise of performing a "security audit" or "troubleshooting."
For market professionals and corporate executives, an account breach carries severe financial and reputational risks. “Once the criminals have access to your account they will more than likely use it to attempt to commit further fraud including crypto scams, phishing attacks and misinformation campaigns,” says Jake Moore, a global cybersecurity adviser at ESET. A hijacked account of a known market participant could easily be weaponized to manipulate asset prices or defraud followers.
There are subtle indicators that distinguish the fraudulent emails from genuine alerts. The messages often fail to include the user's specific X handle and use vague location data. “The two biggest giveaways are the email address it comes from, and where the links actually take you,” Moore notes. X states it only sends correspondence from @X.com or @e.X.com domains, and will never request passwords via email, direct message, or reply.
Corporate security teams should instruct executives and communications staff to navigate directly to the X application rather than clicking email links if a security concern arises. “If you ever receive an email like this, it is very normal, but remember not to panic, and don’t click the links to divulge any personal data,” Moore advises. Users who have entered credentials on a suspicious site must immediately change their passwords and verify that two-factor authentication is active. X may also proactively reset the passwords of accounts it suspects are compromised.